Posted to commits@qpid.apache.org by gs...@apache.org on 2015/11/26 23:48:55 UTC
svn commit: r1716781 - in /qpid/trunk/qpid/cpp/src:
qpid/broker/amqp/Session.cpp tests/acl_1.py
Author: gsim
Date: Thu Nov 26 22:48:55 2015
New Revision: 1716781
URL: http://svn.apache.org/viewvc?rev=1716781&view=rev
Log:
QPID-6754: ensure anonymous-relay doesn't expose ability to detect whether or not entity exists for those without permissions
Modified:
qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
qpid/trunk/qpid/cpp/src/tests/acl_1.py
Modified: qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp?rev=1716781&r1=1716780&r2=1716781&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp (original)
+++ qpid/trunk/qpid/cpp/src/qpid/broker/amqp/Session.cpp Thu Nov 26 22:48:55 2015
@@ -968,6 +968,7 @@ void AnonymousRelay::handle(qpid::broker
{
// need to retrieve AMQP 1.0 'to' field and resolve it to a queue or exchange
std::string dest = message.getTo();
+ authorise.access(dest, false, false);
QPID_LOG(debug, "AnonymousRelay received message for " << dest);
boost::shared_ptr<qpid::broker::Exchange> exchange;
boost::shared_ptr<qpid::broker::Queue> queue;
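Review bot: The added `authorise.access(dest, false, false);` has no comment saying that its position is the fix: it must run before `dest` is resolved to a queue or exchange, so that a sender without access gets the same refusal whether or not the node exists. I would add above it `// check access before lookup, so the reply does not reveal whether dest exists`, because a later refactor that moves the call below the lookup would silently reopen the leak. The two bare `false` arguments are also opaque at the call site. Judging from the ACL rules added in acl_1.py, the call appears to require access under both the queue and the exchange rule for the same name; that is worth stating, since ACL files granting only one of them would start refusing relay traffic. The body of AnonymousRelay::handle continues outside the hunk.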
Modified: qpid/trunk/qpid/cpp/src/tests/acl_1.py
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/cpp/src/tests/acl_1.py?rev=1716781&r1=1716780&r2=1716781&view=diff
==============================================================================
--- qpid/trunk/qpid/cpp/src/tests/acl_1.py (original)
+++ qpid/trunk/qpid/cpp/src/tests/acl_1.py Thu Nov 26 22:48:55 2015
@@ -270,23 +270,41 @@ class Acl_AMQP1_Tests (VersionTest):
def test_publish_to_anonymous_relay(self):
self.acl.allow('bob', 'access', 'exchange', 'name=ANONYMOUS-RELAY')
self.acl.allow('bob', 'access', 'queue', 'name=acl_test_queue')
+ self.acl.allow('bob', 'access', 'exchange', 'name=acl_test_queue')
self.acl.allow('bob', 'publish', 'exchange', 'routingkey=acl_test_queue')
self.acl.allow('bob', 'access', 'exchange', 'name=amq.topic')
+ self.acl.allow('bob', 'access', 'queue', 'name=amq.topic')
self.acl.allow('bob', 'publish', 'exchange', 'name=amq.topic', 'routingkey=abc')
+ self.acl.allow('bob', 'access', 'exchange', 'name=amq.direct')
+ self.acl.allow('bob', 'access', 'queue', 'name=amq.direct')
self.acl.allow('alice').deny().apply()
sender = self.bob.sender("<null>")
sender.send(Message("a message", properties={'x-amqp-to':'acl_test_queue'}), sync=True)
sender.send(Message("another", subject='abc', properties={'x-amqp-to':'amq.topic'}), sync=True)
try:
+ # have access permission, but publish not allowed for given key
sender.send(Message("a third", subject='def', properties={'x-amqp-to':'amq.topic'}), sync=True)
assert False, "bob should not be allowed to send message to amq.topic with key 'def'"
except UnauthorizedAccess: pass
sender = self.bob.sender("<null>")
try:
+ # have access permission, but no publish
sender.send(Message("a fourth", subject='abc', properties={'x-amqp-to':'amq.direct'}), sync=True)
assert False, "bob should not be allowed to send message to amq.direct"
except UnauthorizedAccess: pass
+ sender = self.bob.sender("<null>")
+ try:
+ # have no access permission
+ sender.send(Message("a fiftth", subject='abc', properties={'x-amqp-to':'amq.fanout'}), sync=True)
+ assert False, "bob should not be allowed to send message to amq.fanout"
+ except UnauthorizedAccess: pass
+ sender = self.bob.sender("<null>")
+ try:
+ # have no access permission
+ sender.send(Message("a sixth", properties={'x-amqp-to':'somewhereelse'}), sync=True)
+ assert False, "bob should not be allowed to send message to somewhere else"
+ except UnauthorizedAccess: pass
sender = self.alice.sender("<null>")
sender.send(Message("alice's message", properties={'x-amqp-to':'abc'}), sync=True)
sender.send(Message("another from alice", properties={'x-amqp-to':'def'}), sync=True)
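Review bot: The two new no-access cases (`amq.fanout`, a standard exchange, and `somewhereelse`, which presumably does not exist) only check that `UnauthorizedAccess` is raised, not that the two refusals look the same to the client, which is the property QPID-6754 is about. If the error text differed between an existing and a missing node, both cases would still pass and the existence oracle would go unnoticed. Consider capturing each error with `except UnauthorizedAccess as e:` and asserting that the two messages are equal once the destination name is factored out. The test method continues outside the hunk.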